Security Basics mailing list archives

RE: passwords in asp pages


From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Wed, 10 Mar 2004 15:51:22 +0530

I am new to security and I have no training in asp programming, 
so I am wondering if I am right in being scared of the following 
instance...

This fear is a wonderful thing; it prevents you from making silly mistakes because you double-check anything.
 
A IIS based website which has asp pages which contain plaintext 
passwords for credentials to an sql database on another machine.  
The passwords are in between <% %> so I assume that means they 
are only processed on the server and the user does not see them, 
and there do not seem to be any .inc files calling these pages.  
The server is also up to date with patches as far as I know.


There are many IIS and Windows bugs that make reading the script or gaining this info very easy. I don't know your
network setup, but in cases where I have to do something like this, I keep the SQL server in another subnet and it has
rules that allow connections only from the IP of the web server, and that too on a non-standard port (not 1433) on which the SQL
server is running....

Having passwords in plain text is really not good; use any algo like MD5 to encrypt the passwd and use that in your
program. Also make it impossible for anyone to replace this hash, because if I can replace this hash, then I can
compute the hash beforehand, replace it on your server and know the password.

Since you are using Windows 2000, set up an IPsec VPN between the 2 computers and only allow secure communication, and
remove all the useless users and programs (in short, harden the system; find these instructions on the MS website).


when I said that they could be 
viewed if their source was viewed, by telling me that they would 
be only processed by the server itself, which still doesn't make 
me feel good at all.

There are tons and tons of bugs that allow you to view the source code of any system or file.

-aditya
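As an added example (not part of the original thread, and not Aditya's code), here is an audit script that scans ASP source for connection-string passwords sitting inside server-side `<% %>` blocks, which is the first step in finding out how many pages actually carry the credentials the poster describes. The sample page, host name, user and password are constructed for the demonstration.

```python
import re

# Everything between <% and %> is server-side ASP; that is where the poster's
# credentials live, so only those regions are inspected.
ASP_BLOCK = re.compile(r"<%(.*?)%>", re.DOTALL)
# OLE DB / ODBC connection strings carry the secret as "Password=..." or "pwd=...";
# the value runs up to the next ';', quote or whitespace.
PASSWORD_KEY = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\"'\s]+)")

# Constructed sample ASP page (not from the original post).
SAMPLE_ASP = """<html>
<% ' constructed sample page
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DBHOST;Initial Catalog=shop;User ID=webapp;Password=Hunter2!;"
%>
<body><% Response.Write "hello" %></body>
</html>
"""


def find_plaintext_passwords(asp_source):
    """Return (line_number, key, value) for every password assignment found
    inside a server-side <% %> block of the given ASP source."""
    findings = []
    for block in ASP_BLOCK.finditer(asp_source):
        # Line on which this <% block opens (1-based).
        block_line = asp_source.count("\n", 0, block.start()) + 1
        body = block.group(1)
        for m in PASSWORD_KEY.finditer(body):
            line = block_line + body.count("\n", 0, m.start())
            findings.append((line, m.group(1), m.group(2)))
    return findings


def masked_report(asp_source):
    """Human-readable findings with the secret masked, so the audit output
    itself does not become another copy of the password."""
    lines = []
    for line, key, value in find_plaintext_passwords(asp_source):
        masked = value[0] + "*" * (len(value) - 1)
        lines.append(f"line {line}: {key}={masked}")
    return lines


if __name__ == "__main__":
    for entry in masked_report(SAMPLE_ASP):
        print(entry)
```

Run it over every `.asp` file under the web root; any hit is a page whose source, if ever disclosed, hands out the database credentials.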

